Multi WAN load balance with IPsec?



  • Have a scenario where I need a site to site VPN where one end of the site has two WANs. The customer wants the WAN load balanced specifically for the IPsec so he can use the full bandwidth for backups to the secondary site. Not sure if this is possible or not. I was thinking that only failover is possible. Any thoughts here? Ideally, we don't want to use DynDNS. Thanks



  • Hi,
    I was in the same situation some time ago, and thinking about how to get this working, I came to the conclusion that this was not possible.

    At the beginning I thought this may be done by creating two VPN connections and then routing the traffic over one of them according to specific rules.

    But in the end I discovered that NATting to IPSEC connections was not possible.
    If this is not true (I mean, it is possible to NAT to IPSEC), then you can realize what you want.

    It should work this way.
    In normal conditions you have:
    1VPN Site A - LAN addresses 192.168.1.0/24 - WAN1
    1VPN Site B - LAN addresses 192.168.0.0/24 - WAN1

    To add a second VPN
    1VPN Site A - LAN addresses 192.168.1.0/24 - WAN1
    2VPN Site A - additional LAN addresses 10.1.1.0 - WAN2

    1VPN Site B - LAN addresses 192.168.0.0/24 - WAN1
    2VPN Site B - additional LAN 10.1.2.0/24 - WAN1

    Now that you have two VPNs you must route traffic coming from a specific server/workstation to the other LAN.
    As I mentioned before I was not able to NAT from 192.168.X.X to 10.1.X.X over IPSEC and this is why my idea failed.



  • NAT has nothing to do with it. NATing IPsec connections is possible, but it does nothing for this scenario.

    It'd have to be routed by a means that isn't currently supported with IPsec. Might be possible with MLPPP over OpenVPN.

